Denis, 2017-02-28 04:04:36
RADIUS

WPA-Enterprise 2FA FreeRadius where is the problem?

The task is to configure freeradius with a request for a client certificate and a login / password pair from AD.
There is AD 20212 R2, UniFi Controller (Current Version 5.2.9 (Build: atag_5.2.9_8748)) and Freeradius (3.0.12) with ntlm_auth.
There is a CA certificate, a client certificate, and a server certificate (out of the box). We use Windows 7, PEAP MS-CHAP v2.
With this configuration:

peap {
        tls = "tls-common"
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
        soh = no
        require_client_cert = no
   }

Everything is working:
(11) eap: Peer sent EAP Response (code 2) ID 65 length 43
(11) eap: Continuing tunnel setup
(11)     [eap] = ok
(11)   } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(11)   authenticate {
(11) eap: Expiring EAP session with state 0xa3f6d1f2aab7c86f
(11) eap: Finished EAP session with state 0xa3f6d1f2aab7c86f
(11) eap: Previous EAP request found for state 0xa3f6d1f2aab7c86f, released from the list
(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: Continuing EAP-TLS
(11) eap_peap: [eaptls verify] = ok
(11) eap_peap: Done initial handshake
(11) eap_peap: [eaptls process] = ok
(11) eap_peap: Session established.  Decoding tunneled attributes
(11) eap_peap: PEAP state send tlv success
(11) eap_peap: Received EAP-TLV response
(11) eap_peap: Success
(11) eap_peap: Using saved attributes from the original Access-Accept
(11) eap_peap:   User-Name = "test2"
(11) eap_peap:     caching User-Name = "test2"
(11) eap_peap: Saving session f7d69eb235e0c190cb9fb041a359715ca03959e083342b3506e62f2a44c637e2 in the disk cache
(11) eap: Sending EAP Success (code 3) ID 65 length 4
(11) eap: Freeing handler
(11)     [eap] = ok
(11)   } # authenticate = ok
(11) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(11)   post-auth {
(11)     update {
(11)       No attributes updated
(11)     } # update = noop
(11)     [exec] = noop
(11)     policy remove_reply_message_if_eap {
(11)       if (&reply:EAP-Message && &reply:Reply-Message) {
(11)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(11)       else {
(11)         [noop] = noop
(11)       } # else = noop
(11)     } # policy remove_reply_message_if_eap = noop
(11)   } # post-auth = noop
(11) Sent Access-Accept Id 243 from 10.11.12.6:1812 to 192.168.101.250:47904 length 0
(11)   User-Name = "test2"
(11)   MS-MPPE-Recv-Key = 0x3d4381f5ae8856173f931331f08099128998347880426c3fcb15badfebbf25f9
(11)   MS-MPPE-Send-Key = 0x3fdce394cfb3378a7190958dc1e3004f4eb306d61f5ff936bbc629eb91d5d751
(11)   EAP-Message = 0x03410004
(11)   Message-Authenticator = 0x00000000000000000000000000000000
(11) Finished request

But when changing
require_client_cert = yes
EAP-TLS does not work.
(11) eap: Peer sent EAP Response (code 2) ID 230 length 151
(11) eap: Continuing tunnel setup
(11)     [eap] = ok
(11)   } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(11)   authenticate {
(11) eap: Expiring EAP session with state 0xf22750c1f6c14964
(11) eap: Finished EAP session with state 0xf22750c1f6c14964
(11) eap: Previous EAP request found for state 0xf22750c1f6c14964, released from the list
(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: Continuing EAP-TLS
(11) eap_peap: Peer indicated complete TLS record size will be 141 bytes
(11) eap_peap: Got complete TLS record (141 bytes)
(11) eap_peap: [eaptls verify] = length included
(11) eap_peap: <<< recv TLS 1.0 Handshake [length 0007], Certificate
(11) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
(11) eap_peap: ERROR: TLS Alert write:fatal:handshake failure
tls: TLS_accept: Error in SSLv3 read client certificate B
(11) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
(11) eap_peap: ERROR: System call (I/O) error (-1)
(11) eap_peap: ERROR: TLS receive handshake failed during operation
(11) eap_peap: ERROR: [eaptls process] = fail
(11) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(11) eap: Sending EAP Failure (code 4) ID 230 length 4
(11) eap: Failed in EAP select
(11)     [eap] = invalid
(11)   } # authenticate = invalid
(11) Failed to authenticate the user

Is such a configuration possible?
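Added example, not code from the post or from FreeRADIUS: a small Python triage script that groups radiusd -X debug lines by request number and classifies each request, so that sessions failing the outer TLS handshake because the supplicant presented no certificate (the "peer did not return a certificate" line in the second trace) stand out from successful PEAP sessions. The sample lines are constructed in the shape of the two traces above; the function names triage and client_cert_failures are this example's own.

```python
import re
# Constructed sample in the shape of the post's two radiusd -X traces (11 ok, 12 fails).
SAMPLE_LOG = """\
(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap_peap: Session established.  Decoding tunneled attributes
(11) eap: Sending EAP Success (code 3) ID 65 length 4
(11) Sent Access-Accept Id 243 from 10.11.12.6:1812 to 192.168.101.250:47904 length 0
(12) eap: Peer sent packet with method EAP PEAP (25)
(12) eap_peap: <<< recv TLS 1.0 Handshake [length 0007], Certificate
(12) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
(12) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
(12) eap: Sending EAP Failure (code 4) ID 230 length 4
"""

LINE_RE = re.compile(r"^\((\d+)\)\s+(.*)$")  # "(N) rest of line"
METHOD_RE = re.compile(r"method (EAP \S+ \(\d+\))")  # "method EAP PEAP (25)"
SSL_REASON_RE = re.compile(r"SSL routines:[^:]+:(.+)$")  # OpenSSL reason text

def triage(log_text):
    """Group radiusd -X lines by request number; outcome is accept/reject/incomplete,
    reason is the OpenSSL reason (or TLS alert) of a failed outer handshake."""
    requests = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # bare lines such as "tls: TLS_accept: ..." carry no request id
        rid, body = int(m.group(1)), m.group(2)
        req = requests.setdefault(rid, {"method": None, "outcome": "incomplete", "reason": None})
        mm = METHOD_RE.search(body)
        if mm:
            req["method"] = mm.group(1)
        if "Sending EAP Success" in body or body.startswith("Sent Access-Accept"):
            req["outcome"] = "accept"
        elif "Sending EAP Failure" in body:
            req["outcome"] = "reject"
        mr = SSL_REASON_RE.search(body)
        if mr:
            req["reason"] = mr.group(1)  # most specific, overrides the alert text
        elif "fatal handshake_failure" in body and req["reason"] is None:
            req["reason"] = "sent fatal handshake_failure alert"
    return requests

def client_cert_failures(requests):
    """Request ids whose outer TLS handshake failed because no client cert was presented."""
    return sorted(rid for rid, r in requests.items()
                  if r["reason"] and "did not return a certificate" in r["reason"])

if __name__ == "__main__":
    for rid, r in sorted(triage(SAMPLE_LOG).items()):
        print(f"request {rid}: {r['method']} -> {r['outcome']} ({r['reason'] or 'no TLS error'})")
```

Feed it the full output of radiusd -X after switching require_client_cert to yes; any request listed by client_cert_failures is a supplicant whose profile is not sending a certificate in the outer PEAP handshake.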


2 answer(s)
Denis, 2017-03-02
@Sat0shi

freeradius.1045715.n5.nabble.com/two-factor-authen...
It is not possible for a Windows Client to authenticate via a certificate and request a login/password pair in AD.

Axian Ltd., 2017-02-28
@AxianLTD

Error in SSLv3 read client certificate B
(11) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
(11) eap_peap: ERROR: System call (I/O) error (-1)
-----------------
So it says quite specifically: the client did not return a certificate. You seem to have an error in the client settings.
